CVE-2011-5007
published 2011-12-25

CVE-2011-5007: Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products…

Priority: P2 · Severity: critical · CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public exploit: available
EPSS: 73.20% (99.4th percentile)
Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080.

Affected

1 range
Vendor: 3ssoftware · Product: codesys · Version range: <= 3.4 (3.4 SP4 Patch 2 and earlier, per the description) · Fixed in: (none listed)

Detection & IOCs (extracted from sources)

Port: 8080/TCP
Request shape: GET /<775 bytes junk><ret><shellcode> HTTP/1.0\r\n\r\n\r\n
Banner string: 3S_WebServer
  • Detect exploit attempts as HTTP GET requests to port 8080/TCP whose URI exceeds 775 bytes, targeting the CoDeSys CmpWebServer component. 775 bytes is the filler length the public exploit places before the overwritten return address, so any URI longer than that on this service is a strong indicator.
  • Fingerprint CoDeSys web servers by checking HTTP response banners for the string '3S_WebServer'; its presence identifies the component, and the instance is potentially vulnerable until the version is confirmed.
  • Monitor for new outbound connections from SCADA/PLC hosts that follow inbound HTTP traffic to port 8080, which is indicative of a successful reverse shell. The public exploit's handler listens on 4444/TCP by default, but that is only Metasploit's default LPORT; an attacker can choose any port, so correlate on the call-back to the source of the oversized request rather than on 4444 alone.
  • The bytes \x00\x09\x0a\x3f\x20\x23\x5e (NUL, TAB, LF, '?', space, '#', '^') are the characters the exploit's return address and shellcode must avoid, so they are not indicators on their own. An oversized URI on port 8080/TCP that contains none of them (no query separator, no fragment, no whitespace) but does contain non-printable bytes is consistent with a raw exploit payload.
  • For ABB AC500 PLCs, also monitor port 80/TCP for oversized URL requests, as the device may be configured to serve the vulnerable CoDeSys web server on port 80 instead of 8080.
  • The vulnerable CoDeSys web server component is NOT active in the default configuration; it must be explicitly enabled. Exposure only exists when the web server is turned on.
  • The exploit RET address (0x7E4456F7, a jmp esp in user32.dll) is specific to Windows XP SP3; different offsets or return addresses may be required for other OS versions.
  • The ABB AC500 PLC may serve the vulnerable web server on any arbitrary port, not just 8080; detection rules scoped only to port 8080 may miss attacks on reconfigured devices.
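The three detection ideas above (oversized GET URI on the web port, banner fingerprint, call-back correlation) as one small analyser run over constructed sample traffic. This is an added example written for this page, not code from the CVE entry, from 3S, ABB or the exploit module. It assumes the 3S_WebServer banner appears in the HTTP response headers (the Server header is the likely place, so all headers are searched), a 60-second correlation window, and a flow-record format of (timestamp, src_ip, src_port, dst_ip, dst_port); the sample request, response and flows are made up for the demo. The watched-port set is a parameter because, as the last bullet says, the AC500 can expose the web server on any port.

```python
import re

# Indicator values taken from the IOC list above (the page's own numbers).
OFFSET_TO_RET = 775                                   # filler bytes before the overwritten return address
PAYLOAD_BAD_CHARS = b"\x00\x09\x0a\x3f\x20\x23\x5e"   # NUL TAB LF ? SPACE # ^ : bytes the payload must avoid
BANNER_RE = re.compile(rb"3S_WebServer")
WATCHED_PORTS = frozenset({8080, 80})                 # 80 because the AC500 may serve the web server there
MSF_DEFAULT_LPORT = 4444                              # only Metasploit's default reverse-handler port


def inspect_request(raw: bytes, dst_port: int, watched_ports=WATCHED_PORTS) -> list:
    """Findings for one HTTP request seen on dst_port (empty list = nothing suspicious).

    watched_ports is a parameter because the AC500 can expose the web server on any
    port; pass the ports your inventory says the PLCs actually listen on.
    """
    findings = []
    if dst_port not in watched_ports:
        return findings
    request_line = raw.partition(b"\r\n")[0]
    parts = request_line.split(b" ", 2)               # an exploit URI cannot contain a space (bad char)
    if len(parts) != 3 or parts[0] != b"GET":
        return findings
    uri = parts[1]
    if len(uri) <= OFFSET_TO_RET:
        return findings
    findings.append(f"oversized GET URI: {len(uri)} bytes > {OFFSET_TO_RET} on port {dst_port}")
    # The exploit has to encode around these bytes, so a long URI that contains none of
    # them (no '?', no '#', no whitespace) looks like raw payload rather than a query string.
    if not any(b in uri for b in PAYLOAD_BAD_CHARS):
        findings.append("URI avoids every byte the exploit payload must avoid")
    non_printable = sum(1 for b in uri if b < 0x20 or b > 0x7e)
    if non_printable:
        findings.append(f"{non_printable} non-printable bytes in URI (raw return address/shellcode?)")
    return findings


def fingerprint_response(raw: bytes) -> bool:
    """True when the response headers carry the 3S_WebServer banner.

    Assumption: the banner sits in a response header (normally Server); every header
    is searched so a differently named header still matches.
    """
    headers = raw.partition(b"\r\n\r\n")[0]
    return BANNER_RE.search(headers) is not None


def correlate_reverse_shell(flows, plc_hosts, window_s=60.0, watched_ports=WATCHED_PORTS):
    """Flag a PLC that connects back to a host which had just sent it a web request.

    flows: iterable of (ts_seconds, src_ip, src_port, dst_ip, dst_port). The call-back
    port is reported but not required to be 4444: that is only Metasploit's default
    LPORT and an attacker can pick any other.
    """
    last_inbound = {}                                  # (plc_ip, remote_ip) -> ts of last inbound web request
    alerts = []
    for ts, src, sport, dst, dport in sorted(flows, key=lambda f: f[0]):
        if dst in plc_hosts and dport in watched_ports:
            last_inbound[(dst, src)] = ts
        elif src in plc_hosts and (src, dst) in last_inbound:
            delta = ts - last_inbound[(src, dst)]
            if 0 <= delta <= window_s:
                note = " (Metasploit default LPORT)" if dport == MSF_DEFAULT_LPORT else ""
                alerts.append(f"{src} -> {dst}:{dport}{note} {delta:.0f}s after inbound web request")
    return alerts


# Constructed sample traffic for the demo; not a real capture.
BENIGN_REQUEST = b"GET /webvisu.htm HTTP/1.1\r\nHost: plc\r\n\r\n"
# Shape from the IOC list: 775 filler bytes, little-endian 0x7E4456F7, then a shellcode stand-in.
EXPLOIT_LIKE_REQUEST = (b"GET /" + b"A" * 775 + b"\xf7\x56\x44\x7e" + b"\xcc" * 200
                        + b" HTTP/1.0\r\n\r\n\r\n")
BANNER_RESPONSE = b"HTTP/1.0 200 OK\r\nServer: 3S_WebServer\r\nContent-Length: 0\r\n\r\n"
PLC_HOSTS = {"192.168.1.20"}
SAMPLE_FLOWS = [
    (100.0, "10.0.0.5", 51000, "192.168.1.20", 8080),   # attacker -> PLC web port
    (103.0, "192.168.1.20", 49152, "10.0.0.5", 4444),   # PLC -> attacker: reverse shell
    (110.0, "192.168.1.20", 49153, "192.168.1.2", 502),  # PLC -> SCADA host, unrelated
]

if __name__ == "__main__":
    for finding in inspect_request(EXPLOIT_LIKE_REQUEST, 8080):
        print("request:", finding)
    print("banner:", fingerprint_response(BANNER_RESPONSE))
    for alert in correlate_reverse_shell(SAMPLE_FLOWS, PLC_HOSTS):
        print("flow:", alert)
```

On the constructed exploit-shaped request the analyser reports the 980-byte URI, the absence of every forbidden byte, and 201 non-printable bytes; the benign WebVisu request produces nothing, and the same exploit request on an unwatched port is ignored until that port is added to the watched set. The flow correlation raises one alert for the PLC calling back to the host that sent the web request and stays quiet for the PLC's unrelated Modbus connection.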